
Directors and Officers Settle Over Yahoo Hack: A New Chapter in Derivative Litigation?
Blog: Data Security Law Blog

Yesterday, a Superior Court judge in Santa Clara, California approved what is believed to be the first monetary award to a company in a data breach-related derivative lawsuit. Until now, such breach-related derivative cases have settled through a combination of governance changes and modest awards of attorney’s fees.

But the former officers and directors of Yahoo! Inc. agreed to pay $29 million to settle charges that they breached their fiduciary duties in the handling of customer data during a series of cyberattacks from 2013 until 2016. Three billion Yahoo user accounts were compromised in the attacks, making it one of the largest reported hacks in U.S. history. The settlement puts an end to three derivative lawsuits filed in Delaware and California against the company’s former leadership team and board including ex-CEO Marissa Mayer.

Under the settlement, the lawyers will walk away with just under $11 million in fees and expenses, with the remaining $18 million paid to Yahoo! (now called Altaba, Inc.). The settlement will be funded by insurance.

A derivative lawsuit gives the owners of a company – the shareholders – a way to hold corporate directors and management accountable for their actions. To do so, shareholders file a claim on the company’s behalf, with any money recovered going to the corporation, not the individual shareholders, because the violation only harmed the organization.

The backstory of the Yahoo D&O settlement might never become public. In court filings, the parties have called the settlement fair and in the best interest of all parties, and pointed to a laundry list of data security improvements that have been put in place at the company. But insurers don’t pay millions of dollars to settle a derivative case – especially when there’s a low likelihood that the shareholders would prevail in the case – without some concern that their exposure would be greater than the settlement.
